Policies and data protection

University of Southampton Research Data Management Policy

The following guidance supports the University of Southampton Data Management Policy. All students are required to abide by the University’s policy. Taught students are exempted from the provisions regarding retention and deposit unless they have published peer-reviewed articles based on their research.

Data Protection Act (2018)

If your research involves collecting data from living human subjects, or ‘special category data’ (formerly referred to as sensitive data), then you must comply with the Data Protection Act (2018). The Act incorporates the EU General Data Protection Regulation (GDPR).

The key actions to reduce your risk are:

  • Raw data and all files containing contact details for individuals (such as consent forms) must only be stored on University servers, within the University network
  • If you are holding data locally on a laptop (for example during collection) the data must be encrypted and the laptop should be a University build laptop.
  • When sharing data with collaborators, do not share the raw data. Do not use cloud-based services. Do not share data with collaborators outside the University unless you know that a data sharing agreement is in place.
  • When moving data, do not email files; instead, use SafeSend or create a SharePoint site for you and your collaborators. SharePoint can also be accessed via University of Southampton Office 365.

What if I lose some data or disclose by accident?

Do not delay, and do not spend time trying to find the data: email databreach@soton.ac.uk as soon as you suspect the data loss may have happened.

  1. Email databreach@soton.ac.uk 
  2. Liaise with Finance to get mobile number blocked (if appropriate)
  3. If the lost device is an iPhone or iPad:
    • Access iCloud.com and Find my iPhone with the account on the lost item
    • Click ‘all devices’
    • Select device that is missing and click erase iPhone

Differences Between Consent For Ethics and Data Protection

Ethical guidelines issued by funders and the University cover how you can create, store, share and archive data concerned with human subjects. In addition, laws such as the Data Protection Act 2018 govern the processing of personal data.

The University is able to hold and share certain types of data, for example pseudonymised and anonymised research data. Data collected by staff and students in the course of their research and education constitute a ‘public task’ in law. Even sensitive research data can often be shared legally and ethically by using anonymisation and controlled access. In order to be able to do this it is important to consider potential data sharing and re-use scenarios well before the ethics process and data collection.

Be explicit in your consent forms and participant information sheets about your plans to make data available, who will be able to access the data, and how the data would be accessed and potentially re-used. You should not ask participants to consent to sharing their anonymised or pseudonymised data, but instead ask that they understand their anonymised or pseudonymised data may be shared.

If you want to keep their contact details so they can be contacted for further research after your study is finished, you must get their explicit consent to do this. You must keep the contact details separately from your current study.

For more guidance see the Sensitive Data, Research Data and the GDPR pages. Expert guidance on ethics can be sought from your local Faculty Ethics Committee and the Research Integrity and Governance Office.

The next section looks at top tips for best practice, focusing on planning, file naming, version control and storage.
